HT4748: OS X Server: Configuring PPTP

jlgtx

Q: L2TP and PPTP...local vs. network users?

Do these instructions still apply to Yosemite & Server 4.1? Specifically, can local users only use L2TP but not PPTP? There seems to be a lot of misinformation (or lack of information) out there.

Mac Pro, OS X Yosemite (10.10.3), Server 4.1

Posted on May 31, 2015 9:49 PM


  • by jlgtx, Jun 1, 2015 12:35 PM in response to jlgtx

    OK...per experimentation, it would appear that L2TP works with Local Users, but PPTP does not. However, the PPTP VPN process should be able to authenticate against the built-in RADIUS server, which does work with Local Users. The question is, how do I make this happen? Google is only vaguely my friend here; I've managed to get the RADIUS service configured:

    # dseditgroup -o create -n . -r RADIUS com.apple.access_radius
    # radiusconfig -setconfig auth yes
    # radiusconfig -setconfig auth_badpass yes
    # radiusconfig -setconfig auth_goodpass yes
    # radiusconfig -installcerts /etc/certificates/<server_cert_string>.key.pem /etc/certificates/<server_cert_string>.cert.pem /etc/certificates/<server_cert_string>.chain.pem
    # radiusconfig -setcertpassword
    Enter Certificate Passphrase: Apple:UseCertAdmin
    # radiusconfig -start

     

     

    After adding a user "testuser" to the com.apple.access_radius group, I can then run a successful test using the built-in configuration for localhost:

    # time echo "User-Name=testuser,User-password=testpass,Framed-Protocol=PPP " | radclient -x -r 1 -t 10 localhost:1812 auth testing123
    Sending Access-Request of id 106 to 127.0.0.1 port 1812
      User-Name = "testuser"
      User-Password = "testpass"
      Framed-Protocol = PPP
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=106, length=32
      Framed-Protocol = PPP
      Framed-Compression = Van-Jacobson-TCP-IP

    real 0m6.658s
    user 0m0.018s
    sys 0m0.009s

    One concerning issue is the fact that it takes almost 7 seconds for the RADIUS server to respond, but at least it does work.

    Now I need to configure PPTP to use the RADIUS server. I create a text file "vpnrad" with the following contents:

     

     

    vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:SharedSecret = "testing123"
    vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:Address = "127.0.0.1:1812"

    Then I use "serveradmin settings < vpnrad" to pull those settings into the VPN config. That works. But the PPTP service doesn't appear to be hitting the RADIUS service at all. I've tried the "Address" key both with and without the port (1812) tagged onto it, same behavior either way. The RADIUS log shows no hits, and the VPN log shows:

     

     

    2015-06-01 14:15:40 CDT Incoming call... Address given to client = 10.0.77.95
    Mon Jun  1 14:15:41 2015 : Directory Services Authentication plugin initialized
    Mon Jun  1 14:15:41 2015 : Directory Services Authorization plugin initialized
    Mon Jun  1 14:15:41 2015 : publish_entry SCDSet() failed: Success!
    Mon Jun  1 14:15:41 2015 : publish_entry SCDSet() failed: Success!
    Mon Jun  1 14:15:41 2015 : publish_entry SCDSet() failed: Success!
    Mon Jun  1 14:15:41 2015 : PPTP incoming call in progress from '50.24.10.202'...
    Mon Jun  1 14:15:41 2015 : PPTP connection established.
    Mon Jun  1 14:15:41 2015 : using link 1
    Mon Jun  1 14:15:41 2015 : Using interface ppp1
    Mon Jun  1 14:15:41 2015 : Connect: ppp1 <--> socket[34:17]
    Mon Jun  1 14:15:41 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
    Mon Jun  1 14:15:41 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
    Mon Jun  1 14:15:41 2015 : lcp_reqci: returning CONFACK.
    Mon Jun  1 14:15:41 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
    Mon Jun  1 14:15:44 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
    Mon Jun  1 14:15:44 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
    Mon Jun  1 14:15:44 2015 : lcp_reqci: returning CONFACK.
    Mon Jun  1 14:15:44 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
    Mon Jun  1 14:15:47 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
    Mon Jun  1 14:15:47 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
    Mon Jun  1 14:15:47 2015 : lcp_reqci: returning CONFACK.
    Mon Jun  1 14:15:47 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
    Mon Jun  1 14:15:50 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
    Mon Jun  1 14:15:50 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
    Mon Jun  1 14:15:50 2015 : lcp_reqci: returning CONFACK.
    Mon Jun  1 14:15:50 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
    Mon Jun  1 14:15:53 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
    Mon Jun  1 14:15:53 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
    Mon Jun  1 14:15:53 2015 : lcp_reqci: returning CONFACK.
    Mon Jun  1 14:15:53 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
    Mon Jun  1 14:15:56 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
    Mon Jun  1 14:15:56 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
    Mon Jun  1 14:15:56 2015 : lcp_reqci: returning CONFACK.
    Mon Jun  1 14:15:56 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
    Mon Jun  1 14:15:59 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
    Mon Jun  1 14:15:59 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
    Mon Jun  1 14:15:59 2015 : lcp_reqci: returning CONFACK.
    Mon Jun  1 14:15:59 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
    Mon Jun  1 14:16:02 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
    Mon Jun  1 14:16:02 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
    Mon Jun  1 14:16:02 2015 : lcp_reqci: returning CONFACK.
    Mon Jun  1 14:16:02 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
    Mon Jun  1 14:16:05 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
    Mon Jun  1 14:16:05 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
    Mon Jun  1 14:16:05 2015 : lcp_reqci: returning CONFACK.
    Mon Jun  1 14:16:05 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
    Mon Jun  1 14:16:08 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
    Mon Jun  1 14:16:08 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
    Mon Jun  1 14:16:08 2015 : lcp_reqci: returning CONFACK.
    Mon Jun  1 14:16:08 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
    Mon Jun  1 14:16:11 2015 : LCP: timeout sending Config-Requests
    Mon Jun  1 14:16:11 2015 : Connection terminated.
    Mon Jun  1 14:16:11 2015 : PPTP disconnecting...
    Mon Jun  1 14:16:11 2015 : PPTP disconnected
    2015-06-01 14:16:11 CDT   --> Client with address = 10.0.77.95 has hungup

  • by jlgtx, Jun 2, 2015 11:55 AM in response to jlgtx

    This is the VPN log output when a Local User tries to connect via PPTP:

    2015-06-02 13:49:40 CDT Incoming call... Address given to client = 10.0.77.101
    Tue Jun  2 13:49:40 2015 : Directory Services Authentication plugin initialized
    Tue Jun  2 13:49:40 2015 : Directory Services Authorization plugin initialized
    Tue Jun  2 13:49:40 2015 : publish_entry SCDSet() failed: Success!
    Tue Jun  2 13:49:40 2015 : publish_entry SCDSet() failed: Success!
    Tue Jun  2 13:49:40 2015 : publish_entry SCDSet() failed: Success!
    Tue Jun  2 13:49:40 2015 : PPTP incoming call in progress from '70.196.78.203'...
    Tue Jun  2 13:49:41 2015 : PPTP connection established.
    Tue Jun  2 13:49:41 2015 : using link 0
    Tue Jun  2 13:49:41 2015 : Using interface ppp0
    Tue Jun  2 13:49:41 2015 : Connect: ppp0 <--> socket[34:17]
    Tue Jun  2 13:49:41 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x733b2b1a> <pcomp> <accomp>]
    Tue Jun  2 13:49:41 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x17d149d0> <pcomp> <accomp>]
    Tue Jun  2 13:49:41 2015 : lcp_reqci: returning CONFACK.
    Tue Jun  2 13:49:41 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x17d149d0> <pcomp> <accomp>]
    Tue Jun  2 13:49:44 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x733b2b1a> <pcomp> <accomp>]
    Tue Jun  2 13:49:44 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x17d149d0> <pcomp> <accomp>]
    Tue Jun  2 13:49:44 2015 : lcp_reqci: returning CONFACK.
    Tue Jun  2 13:49:44 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x17d149d0> <pcomp> <accomp>]
    Tue Jun  2 13:49:44 2015 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x733b2b1a> <pcomp> <accomp>]
    Tue Jun  2 13:49:44 2015 : sent [LCP EchoReq id=0x0 magic=0x733b2b1a]
    Tue Jun  2 13:49:44 2015 : sent [CHAP Challenge id=0x10 <681a6b63727e7b1d0242010c1f172511>, name = "server_fqdn.com"]
    Tue Jun  2 13:49:44 2015 : rcvd [LCP EchoReq id=0x0 magic=0x17d149d0]
    Tue Jun  2 13:49:44 2015 : sent [LCP EchoRep id=0x0 magic=0x733b2b1a]
    Tue Jun  2 13:49:44 2015 : rcvd [LCP EchoRep id=0x0 magic=0x17d149d0]
    Tue Jun  2 13:49:44 2015 : rcvd [CHAP Response id=0x10 <8fb162434e91ead66ff3bd6344cf461e000000000000000009f982e07a158a7c31d62a7c2571fce4113c5967ab32305300>, name = "testuser"]
    Tue Jun  2 13:49:52 2015 : DSAuth plugin: unsupported authen authority: recved Kerberosv5;;testuser@LKDC:SHA1.48C48F920285753FE8EC5A1DE8113FF79618CC46;LKDC:SHA1.48C48F920285753FE8EC5A1DE8113FF79618CC46, want ApplePasswordServer
    Tue Jun  2 13:49:52 2015 : DSAuth plugin: MPPE key required, but its retrieval failed.
    Tue Jun  2 13:49:52 2015 : sent [CHAP Failure id=0x10 "S=A6417FB4D646E7ACFA53B70F24AACCCDB754BD4C M=Access granted"]
    Tue Jun  2 13:49:52 2015 : CHAP peer authentication failed for textures
    Tue Jun  2 13:49:52 2015 : sent [LCP TermReq id=0x2 "Authentication failed"]
    Tue Jun  2 13:49:52 2015 : Connection terminated.
    Tue Jun  2 13:49:52 2015 : PPTP disconnecting...
    Tue Jun  2 13:49:52 2015 : PPTP disconnected
    2015-06-02 13:49:52 CDT   --> Client with address = 10.0.77.101 has hungup
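
Added example, not part of the original posts and not Apple's tooling: a small Python triage of the two VPN logs above, run over constructed, shortened sample lines. It reports how far each PPP session got and the logged cause: in the first log no LCP ConfAck is ever received, so the session ends before the authentication phase starts, while in the second the CHAP response arrives and the DSAuth plugin rejects the account's authentication authority. The function name `triage`, the stage labels and the cause labels are assumptions of this example.

```python
import re

# Constructed, shortened samples modelled on the two VPN logs in the thread.
LCP_TIMEOUT_LOG = """\
Mon Jun  1 14:15:41 2015 : PPTP connection established.
Mon Jun  1 14:15:41 2015 : sent [LCP ConfReq id=0x1 <auth chap MS-v2>]
Mon Jun  1 14:15:41 2015 : rcvd [LCP ConfReq id=0x1 <pcomp> <accomp>]
Mon Jun  1 14:15:41 2015 : sent [LCP ConfAck id=0x1 <pcomp> <accomp>]
Mon Jun  1 14:15:44 2015 : sent [LCP ConfReq id=0x1 <auth chap MS-v2>]
Mon Jun  1 14:16:11 2015 : LCP: timeout sending Config-Requests
"""
DSAUTH_LOG = """\
Tue Jun  2 13:49:41 2015 : PPTP connection established.
Tue Jun  2 13:49:44 2015 : rcvd [LCP ConfAck id=0x1 <auth chap MS-v2>]
Tue Jun  2 13:49:44 2015 : rcvd [CHAP Response id=0x10 <00>, name = "testuser"]
Tue Jun  2 13:49:52 2015 : DSAuth plugin: unsupported authen authority: recved Kerberosv5;;testuser@LKDC:SHA1.EXAMPLE;LKDC:SHA1.EXAMPLE, want ApplePasswordServer
Tue Jun  2 13:49:52 2015 : DSAuth plugin: MPPE key required, but its retrieval failed.
Tue Jun  2 13:49:52 2015 : CHAP peer authentication failed for testuser
"""

# Ordered markers: the last one found is the furthest stage the session reached.
STAGES = [("tunnel", "PPTP connection established"),
          ("lcp-acked", "rcvd [LCP ConfAck"),        # peer accepted our LCP options
          ("chap-response", "rcvd [CHAP Response")]  # peer answered the challenge
AUTHORITY = re.compile(r"unsupported authen authority: recved (\w+);.*, want (\w+)")

def triage(log):
    """Summarise one session: furthest stage, ConfReq count, logged cause."""
    lines = log.splitlines()
    out = {"stage": "none", "confreq_sent": 0, "cause": None, "authority": None}
    for name, marker in STAGES:
        if any(marker in line for line in lines):
            out["stage"] = name
    out["confreq_sent"] = sum("sent [LCP ConfReq" in line for line in lines)
    for line in lines:
        m = AUTHORITY.search(line)
        if m:  # authority stored on the account vs. the one the plugin accepts
            out["authority"] = {"got": m.group(1), "want": m.group(2)}
        if "LCP: timeout sending Config-Requests" in line:
            out["cause"] = "lcp-timeout"  # authentication phase never started
        elif "MPPE key required, but its retrieval failed" in line:
            out["cause"] = "mppe-key-unavailable"
        elif "CHAP peer authentication failed" in line and out["cause"] is None:
            out["cause"] = "chap-failed"
    return out

if __name__ == "__main__":
    for label, log in (("log 1", LCP_TIMEOUT_LOG), ("log 2", DSAUTH_LOG)):
        print(label, triage(log))
```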